[57] ABSTRACT

Disclosed is a system and method for handling a plurality of 
connection requests made for a plurality of virtual machines 
with a single physical machine. A system and method are 
disclosed for distributing virtual connections among a plu- 
rality of physical machines some or all of which are con- 
figured to handle connections for more than one virtual 
machine. In one embodiment, a packet translation system for 
handling connections from clients on an external network to 
a plurality of IP addresses with a server having a server IP 
address and a server port number includes a client interface 
to the external network. The client interface is operative to 
receive and send packets to and from a remote client. A 
server interface is operative to receive and send packets to 
and from the server and the server is operative to establish 
a connection with the remote client. A packet interceptor is 
operative to intercept incoming packets received at the client 
interface which have a packet destination IP address and a 
packet destination port number corresponding to a virtual 
machine IP address and a virtual machine port number 
which is supported by the packet translation system. A 
packet header translator is operative to translate the packet 
destination IP address and the packet destination port num- 
ber of packets forwarded by the packet interceptor to a 
physical machine IP address and a physical machine port 
number that corresponds to the server IP address and the 
server port number of the server. The server port runs a real 
process corresponding to a virtual process simulated on the 
virtual port number. As a result, the packet translation 
system receives packets at the client interface and the packet 
destination IP address and the packet destination port num- 
ber corresponding to the virtual machine IP address and the 
virtual machine port number are translated to the server IP 
address and the server port number and the packets are
forwarded to the server via the server interface. 
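
The translation described in this abstract, modelled in Python as an added example (not code from the patent or from any product). The class and method names are hypothetical; 192.0.2.1 to 192.0.2.3 and 198.51.100.1 are constructed stand-ins for the three virtual IP addresses and the single physical IP address of the description's example, and the port mapping 80 to 8001, 8002 and 8003 is the one that example gives. Dropping packets that match no connection, always choosing the first bound physical port, and allowing one virtual port per physical port are assumptions of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    syn: bool = False  # True for the SYN that requests a new connection


class Director:
    """Hypothetical model of the packet translation system's tables."""

    def __init__(self) -> None:
        # Virtual machine database: virtual endpoint -> bound physical endpoints.
        self.virtual: Dict[Endpoint, List[Endpoint]] = {}
        # Reverse of the bindings, used to reject ambiguous configurations.
        self.owner: Dict[Endpoint, Endpoint] = {}
        # Connection database, indexed once per direction.
        self.inbound: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
        self.outbound: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def bind(self, virtual: Endpoint, physical: Endpoint) -> None:
        # Assumed constraint: a physical port serves one virtual port, otherwise
        # a reply could not be mapped back to a single virtual source address.
        if self.owner.get(physical, virtual) != virtual:
            raise ValueError(f"{physical} already serves {self.owner[physical]}")
        self.owner[physical] = virtual
        bindings = self.virtual.setdefault(virtual, [])
        if physical not in bindings:
            bindings.append(physical)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a client packet; None means drop."""
        if pkt.dst not in self.virtual:
            return pkt  # not a supported virtual endpoint: not intercepted
        key = (pkt.src, pkt.dst)
        physical = self.inbound.get(key)
        if physical is None:
            if not pkt.syn:
                return None  # assumption: no connection object and no SYN
            # Assumption: first binding; a session distribution scheme
            # would choose among several physical machines here.
            physical = self.virtual[pkt.dst][0]
            self.inbound[key] = physical
            self.outbound[(physical, pkt.src)] = pkt.dst
        return replace(pkt, dst=physical)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of a server reply; None means drop."""
        virtual = self.outbound.get((pkt.src, pkt.dst))
        if virtual is None:
            # Assumption: never forward a reply that would expose the
            # physical address because no connection object matches it.
            return None
        return replace(pkt, src=virtual)


CLIENT: Endpoint = ("203.0.113.7", 40000)  # constructed client endpoint
PHYSICAL_IP = "198.51.100.1"               # constructed stand-in for y.y.y.1


def build_example_director() -> Director:
    """Port 80 of three virtual IPs on ports 8001-8003 of one machine."""
    director = Director()
    for n in (1, 2, 3):
        director.bind((f"192.0.2.{n}", 80), (PHYSICAL_IP, 8000 + n))
    return director


if __name__ == "__main__":
    d = build_example_director()
    for n in (1, 2, 3):
        syn = Packet(src=CLIENT, dst=(f"192.0.2.{n}", 80), syn=True)
        fwd = d.translate_inbound(syn)
        back = d.translate_outbound(Packet(src=fwd.dst, dst=CLIENT))
        print(syn.dst, "->", fwd.dst, "| reply source seen by client:", back.src)
```

The outbound lookup is keyed by both the physical endpoint and the client endpoint, so a reply is rewritten only when a connection object exists for it.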

23 Claims, 10 Drawing Sheets 
SYSTEM AND METHOD FOR
IMPLEMENTING MULTIPLE IP ADDRESSES 
ON MULTIPLE PORTS 

CROSS REFERENCE TO RELATED 
APPLICATIONS 

This application is a continuation in part of application 
Ser. No. 08/552,807 filed Nov. 3, 1995, now U.S. Pat. No. 
5,793,763, which is incorporated herein by reference for all 
purposes. 

This application is related to application Ser. Nos. 08/850, 
248 now abandoned and 08/850,836 now pending, filed 
concurrently herewith, which are incorporated herein by 
reference for all purposes. 

BACKGROUND OF THE INVENTION 

The present invention relates to methods and apparatus 
for implementing multiple IP addresses on multiple ports of 
a physical machine. More specifically, the invention relates 
to methods and apparatus for intercepting packets which are 
addressed to a virtual port on a virtual machine and trans- 
lating the destination IP address and the destination port 
number to a destination IP address and destination port 
number of a physical machine which acts as a host or server 
and is selected to handle connections. 

With the recent explosive growth of the Internet, a very 
large percentage of businesses, including many small 
businesses, desire to have an internet site which is dedicated 
to them. An internet site is generally implemented on an 
internet server which is connected to the internet via an 
internet service provider (ISP). As described in
co-pending application Ser. No. 08/850,248, now abandoned
(Attorney Docket No. CISCP005), previously incorporated by
reference, some internet sites are busy enough to require a
plurality of servers in order to handle all of the connections
which are made to those sites. Accordingly, co-pending
application Ser. No. 08/850,248, now abandoned (Attorney
Docket No. CISCP005), describes a system and method for
monitoring the availability of servers at an Internet site 
which simulate a virtual server and preferentially sending 
new connection requests to servers which are available for 
connections and which are likely to have faster response 
times. For less visited sites, the opposite situation is pre- 
sented. Instead of one site requiring a plurality of servers, it 
would be desirable to combine a plurality of sites on a single 
server, since each one of the individual sites would not 
require all of the capacity of the server in order to service its 
connection traffic. 

One way of handling this would be to provide a plurality 
of small sites on a single server which can support a plurality 
of connections to a plurality of IP addresses. Currently, 
servers which are capable of having two or more physical 
connections to other networks are referred to as multihomed 
hosts. Multihomed hosts must have a unique IP address for 
each of their physical connections. 

FIG. 1 is an illustration of a multi-homed server 102
which serves three different IP addresses. Messages sent to
a first IP address x.x.x.1 are routed to a first set of ports 104,
which includes a port 80 which services Worldwide Web
traffic, a port 20 which is the FTP data port, and a port 23
which is the Telnet port. Other ports may also be included
within set of ports 104. The Worldwide Web, the FTP data,
and the Telnet ports are mentioned because they are well
known port numbers which, by convention, always support
those respective functions. A second set of ports 106 also
includes a port 80, a port 20, and a port 23 which receive
connections for IP address x.x.x.2, and a third set of ports
108 receives connections which are made to IP address
x.x.x.3.

Each set of ports which responds to an IP address is an
Internet site. A first set of ports 104 corresponds to the site
whose domain name is site1.com. A second set of ports 106
corresponds to a site whose domain name is site2.com, and
a third set of ports 108 corresponds to an Internet site whose
domain name is site3.com. Multi-homed server 102 thus
supports connections for each of the Internet sites and
accepts connections to the IP address which represents each
respective site. For each site, a set of daemons are run at each
of the ports, including the well-known ports for that site.

While multihomed hosts make it possible to handle multiple
connections to different IP addresses on a single
server, multihomed hosts can create problems in managing
traffic. Furthermore, not all commercially available servers
or operating systems are configured to be capable of
functioning as a multihomed host. It would therefore be desirable
if a system and method for servicing a plurality of IP
addresses could be developed for servers which do not act as
multihomed hosts.

It is also true that Internet traffic tends to be distributed
among sites in a manner which is nonhomogenous. That is,
certain sites receive a very large quantity of traffic while
others receive little or no traffic. Furthermore, traffic on
certain sites may increase or decrease unpredictably. It
would be desirable if a flexible system and method could be
developed for sharing connection load among a group of
servers in a manner that would not require any of the servers
to be multihomed servers, but that would allow each server
to service more than one site and multiple servers to share
the load for individual sites.

SUMMARY OF THE INVENTION

The present invention provides a system and method for
handling a plurality of connection requests made for a
plurality of virtual machines with a single physical machine.
The present invention further provides a system and method
for distributing virtual connections among a plurality of
physical machines some or all of which are configured to
handle connections for more than one virtual machine.

In one embodiment, a packet translation system for handling
connections from clients on an external network to a
plurality of IP addresses with a server having a server IP
address and a server port number includes a client interface
to the external network. The client interface is operative to
receive and send packets to and from a remote client. A
server interface is operative to receive and send packets to
and from the server and the server is operative to establish
a connection with the remote client. A packet interceptor is
operative to intercept incoming packets received at the client
interface which have a packet destination IP address and a
packet destination port number corresponding to a virtual
machine IP address and a virtual machine port number
which is supported by the packet translation system. A
packet header translator is operative to translate the packet
destination IP address and the packet destination port number
of packets forwarded by the packet interceptor to a
physical machine IP address and a physical machine port
number that corresponds to the server IP address and the
server port number of the server. The server port runs a real
process corresponding to a virtual process simulated on the
virtual port number. As a result, the packet translation
system receives packets at the client interface and the packet
destination IP address and the packet destination port number
corresponding to the virtual machine IP address and the
virtual machine port number are translated to the server IP
address and the server port number and the packets are
forwarded to the server via the server interface.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of a multi-homed server 102
which serves three different IP addresses.

FIG. 2A illustrates a system in which a Local Director
intercepts packets for a plurality of IP addresses and sends
them to the appropriate port on a machine which has only
one IP address but which is implementing processes for a
plurality of IP addresses on its various ports.

FIG. 2B shows a typical computer-based system which
may be used as a Local Director of the present invention.

FIG. 3 is a block diagram of a network segment which
includes many virtual machines corresponding to many
different IP addresses which are implemented on a group of
physical machines which can service the IP addresses.

FIG. 4A illustrates a process which is implemented on the
Local Director for defining virtual machines and binding
them to physical machines and ports.

FIG. 4B illustrates the data structure within the Local
Director in one embodiment.

FIG. 5 is a flow diagram which illustrates a process for
finding a virtual machine to handle a new connection, if one
exists.

FIG. 6A illustrates the data structure of a virtual machine
object.

FIG. 6B illustrates the data structure of a physical
machine object.

FIG. 6C illustrates a connection object data structure.

FIG. 6D illustrates a Port object data structure.

FIG. 7 is a flow diagram which illustrates a preferred
process for handling an incoming packet which is addressed
to one of the virtual machines implemented on the Local
Director.

FIG. 8 is a flow diagram which illustrates the process
implemented by the Local Director to translate the destination
IP address and port number of an incoming data packet
from a client and route that data packet to the proper
physical machine which is connected to the Local Director.

FIG. 9 is a flow diagram which describes the process
implemented on the Local Director for translating and
routing data packets outbound to clients.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The basic problem of networking a set of devices has been
divided into layers. The bottom layer is a physical layer. It
handles the actual physical connections between devices.
The second layer is the data link layer. It describes how the
data is formatted which is on the physical medium which
connects the devices. The third layer is the network layer. It
handles cases where there is greater than one connection per
machine. The fourth layer is the transport layer. This determines
that all of the messages from a source reach the
destination reliably and in an unduplicated fashion. The
second layer is subdivided into a Logical Link Control
("LLC") layer and a Media Access Control ("MAC") layer.
A MAC address is required in this layer. In the TCP/IP suite
of protocols employed on the Internet, the third layer or
network layer is the IP layer. This layer requires a globally
unique IP address in order to route packets to the right
physical machine. The IP address is issued by a central
authority known as the Internet Assigned Number Authority
("IANA"). Also, in TCP/IP, the fourth layer or transport
layer is the TCP layer. The TCP layer additionally requires
a machine port number so that the packet is sent to the
correct port of a specific machine. The present invention is
implemented in one embodiment by redefining virtual destination
IP addresses and port numbers in packet headers so
that inbound packets are routed by a Director to a port
number of a specific physical machine that runs an appropriate
daemon to service the destination virtual port number
on the virtual destination machine.

Normally, a human user of the Internet addresses his or
her request to a particular internet site by specifying a
particular domain name (for example, www.NameX.com).
The user also requests a specific port for the server which is
to service the request. The request may be directed to port
80, for example, which is the well known port that services
http or Worldwide web traffic. By convention, all servers
have a daemon which runs on port 80 that runs a process
[...] Worldwide web traffic. Similarly, other well
known ports have other daemons running on them which
also run standard processes. Other ports may also be implemented
which are not well known ports and which run any
process that is specified by the user.

An IP packet sent by a user for the purpose of sending data
to an existing connection or establishing a connection contains
an IP address in its header for the destination machine
to which the connection is made and also a port number for
the destination machine. The IP address is obtained from a
Domain Name Service (DNS) server that returns an IP
address for the domain name selected by the user. The port
number is selected by the user to be either a well known port
or else some other port which the user knows has a certain
daemon running on it with which the user desires to interact.
The present invention implements a plurality of internet sites
on a single machine by running all of the daemons for each
internet site on a different set of ports that are defined for that
site. A "Local Director" is provided to intercept packets
which are directed to certain ports by a user. Once a packet
from a user is intercepted, the Local Director translates the
destination port number specified by the user to the destination
port number which corresponds to the port on which
a server is running the daemon for the user specified port of
the user specified destination IP address.

Different IP addresses, for example, have the daemons
which are supposed to run on their respective well known
ports running on different ports of the machine on which
multiple IP addresses are implemented. The user need never
learn to what ports the well known ports for each IP
are mapped. The Local Director takes care of changing the
well known port number requested by the user to the
appropriate mapped port number in each packet sent by the
user. Furthermore, the user need never know or discover the
IP address of the machine to which the connection is being
made since the Local Director also takes care of replacing
the IP address and port number requested by the user with
the IP address and port number of the machine which
implements that IP address in each packet sent by the user.
Since the Local Director maps IP addresses and port numbers
in packets sent by the user to a new IP address and
port number, it is possible to implement many IP addresses
and port numbers on a single machine which only has a
single IP address of its own, as well as many ports which run
all of the daemons that the user expects to find on the ports
of the machine corresponding to the IP address to which the
user is attempting to connect.
FIG. 2A illustrates a system in which a Local Director 200
intercepts packets for a plurality of IP addresses and sends
them to the appropriate port on a machine which has only
one IP address but which is implementing processes for a
plurality of IP addresses on its various ports. A network
communication line 202 receives requests from a client over
the Internet 203. Network communication line 202 carries
packets which are addressed to three different Internet sites
having the IP addresses x.x.x.1, x.x.x.2, and x.x.x.3. For the
purposes of this example, each of the packets illustrated also
contain the destination port 80. As mentioned above, port 80
is the well known port which runs a daemon that services
http or Worldwide web traffic.

It should be recognized that in the above paragraph and
throughout this specification, the user who is accessing an
internet site via Local Director 200 is referred to as the
"client," and the group of machines associated with Local
Director 200 are referred to as "servers." It should, however,
be recognized that in certain applications, the group of
machines associated with Local Director 200 would actually
be considered the client and the device on the other side of
Local Director 200 would be considered the server. Such
applications also fall within the scope of the present invention.
It should also be recognized that, although the embodiment
described establishes connections to the Internet using
TCP/IP, the present invention may also be used in conjunction
with other protocols to connect to a LAN or WAN.

Local Director 200 contains a packet interceptor 204
which intercepts packets containing certain destination IP
addresses and port numbers. An address and port number
translator 206 replaces the destination IP address and destination
port number in the packets with the address and port
number of a physical machine 210 which implements the
virtual machine that corresponds to the destination IP
addresses specified by the client on network communication
line 202.

The term virtual machine is used to describe a machine
which corresponds to the destination IP address specified by
the client because no such physical machine actually exists.
However, the virtual machine appears to exist to the client
because when the client specifies the IP address of the virtual
machine in a packet, that packet is handled by physical
machine 210 as if the virtual machine actually existed as a
physical machine with the virtual machine IP address. By
translating the IP addresses and port numbers in packets
whose destination IP address and port number corresponds
to a virtual machine which Local Director 200 is supporting,
Local Director 200 enables physical machine 210 to implement
each of the virtual machines.

Address and port number translation is supported on
Local Director 200 by a connection database 212. Connection
database 212 contains a mapped destination IP address
and mapped port number for each connection made to a
virtual machine IP address and a virtual port number that is
supported by Local Director 200. This information is stored
in connection objects contained in connection database 212.
Thus, for each connection being currently handled by Local
Director 200, a connection object in connection database
212 contains the source IP address and port number, the
virtual machine IP address and port number, and a physical
machine IP address and port number. Packets corresponding
to a connection made from a given source IP address and
port number to a given virtual destination IP address and
port number are sent to the destination IP address and port
number of a physical machine.

In order to support new connections, connection database
212 accesses a virtual machine database 214 and a physical
machine database 216. Virtual machine database 214 contains
a list of all the virtual machines supported by Local
Director 200. They are stored as virtual machine objects.
Physical machine database 216 contains a list of all the
physical machines available to Local Director 200 to implement
the virtual machines in virtual machine database 214.
When a SYN request for a new connection is intercepted by
Local Director 200, Local Director 200 checks virtual
machine database 214 to determine whether the destination
IP address and port number corresponds to a virtual machine
that is supported by Local Director 200. If a virtual machine
match is found, then physical machine database 216 is used
to find a physical machine which is linked to the virtual
machine for which a connection is being requested. In
certain embodiments, a session distribution scheme such as
a session distribution scheme as described in U.S. patent
application Ser. No. 08/850,248 filed May 2, 1997 (Attorney
Docket No. CISCP005) previously incorporated by
reference, is used to determine the best physical machine
from among all of the physical machines available to handle
the requested connection.

To the client who is sending and receiving packets on
network communication line 202, it appears that a connection
has been made to the virtual machine which corresponds
to the virtual destination IP address specified by the
client. The client does not know that the address and port
number are translated by Local Director 200 and actually
handled by physical machine 210. Outbound packets from
physical machine 210 are intercepted by a packet interceptor
218 and the source IP address and port number of those
packets is translated by an address and port number translator
220. Packet interceptor 218 and port number translator
220 use connection database 212 to find correct virtual IP
address and port number to replace the IP address and port
number of physical machine 210 as the source IP address
and port number of the packet. Thus, not only is the
connection requested by a client to a virtual machine redirected
without the client's knowledge to physical machine
210, but the returned packets from physical machine 210 are
altered so that it also appears to the client that the return
packets are sent from the virtual machine which the client
attempted to access.

Physical machine 210 is able to handle packets intended
for each of the virtual machines implemented on physical
machine 210 because those packets all have destination
addresses translated by Local Director 200 to be y.y.y.1, the
IP address of physical machine 210. Each of the port
numbers requested by the client are likewise translated to an
individual port on physical machine 210 that implements the
appropriate daemon for the client requested port number. In
the example shown, port 80 of the first IP address is
implemented on port 8001, port 80 of the second IP address
is implemented on port 8002, and port 80 of the third IP
address is implemented on port 8003. Thus, physical
machine 210 need not be a multi-homed server capable of
supporting a multiple number of physical connections to
different IP addresses. Physical machine 210 need only
include a single physical connection for its own IP address,
together with the appropriate daemons running on port
numbers which are mapped to virtual machine port numbers
by Local Director 200.

It should be noted that this example illustrates the mapping
of well known port number 80 for three different virtual
machines to three different ports on physical machine 210.
Likewise, all of the other well known ports (or at least as
many as are supported by physical machine 210 in a given
situation), are mapped to different ports on physical machine
210. Physical machine 210, therefore, can implement as
many virtual ports for a virtual machine as are desired in any
given system.

Local Director 200 employs various process steps involving
data manipulation. These steps require physical manipulation
of physical quantities. Typically, these quantities take
the form of electrical or magnetic signals capable of being
stored, transferred, combined, compared, and otherwise
manipulated. It is sometimes convenient, principally for
reasons of common usage, to refer to these signals as bits,
values, variables, characters, data packets, or the like. It
should be remembered, however, that all of these and similar
terms are to be associated with the appropriate physical
quantities and are merely convenient labels applied to these
quantities.

Further, the manipulations performed are often referred to
in terms, such as translating, running, selecting, specifying,
determining, or comparing. In any of the operations
described herein that form part of the present invention,
these operations are machine operations. Useful machines
for performing the operations of the present invention
include general purpose and specially designed computers or
other similar devices. In all cases, there should be borne in
mind the distinction between the method of operations in
operating a computer or other processing device and the
method of computation itself. The present invention relates
to method steps for operating a Local Director system in
processing electrical or other physical signals to generate
other desired physical signals.

The present invention also relates to an apparatus for
performing these operations. This apparatus may be specially
constructed for the required purposes, or it may be a
general purpose programmable machine selectively activated
or reconfigured by a computer program stored in
memory. The processes presented herein are not inherently
related to any particular computer or other apparatus. In
particular, various general purpose machines may be used
with programs written in accordance with the teachings
herein, or it may be more convenient to construct a more
specialized apparatus to perform the required method steps.
The general structure for a variety of these machines will
appear from the description given below.

Still further, the present invention relates to machine
readable media on which are stored program instructions for
performing operations on a computer. Such media includes
by way of example magnetic disks, magnetic tape, optically
readable media such as CD ROMs, semiconductor memory
such as PCMCIA cards, etc. In each case, the medium may
take the form of a portable item such as a small disk,
diskette, cassette, etc., or it may take the form of a relatively
larger or immobile item such as a hard disk drive or RAM
provided in a computer.

FIG. 2B shows a typical computer-based system which
may be used as a Local Director of the present invention.
Shown is a computer 10 which comprises an input/output
circuit 12 used to communicate information in appropriately
structured form to and from the parts of computer 10 and
associated equipment, a central processing unit 14, and a
memory 16. These components are those typically found in
most general and special purpose computers 10 and are
intended to be representative of this broad category of data
processors.

Connected to the input/output circuit 12 are inside and
outside high speed Local Area Network interfaces 18a and
18b. The inside interface 18a will be connected to a private
network, while the outside interface 18b will be connected
to an external network such as the Internet. Preferably, each
of these interfaces includes (1) a plurality of ports appropriate
for communication with the appropriate media, and
(2) associated logic, and in some instances (3) memory. The
associated logic may control such communications intensive
tasks as packet integrity checking and media control and
management. The high speed interfaces 18a and 18b are
preferably multiport Ethernet interfaces, but may be other
appropriate interfaces such as FDDI interfaces, etc.

The computer system may also include an input device
(not shown) such as a keyboard. A flash memory device 22
is coupled to the input/output circuit 12 and provides additional
storage capability for the computer 10. The flash
memory device 22 may be used to store programs, data and
the like and may be replaced with a magnetic storage
medium or some other well known device. It will be
appreciated that the information retained within the flash
memory device 22, may, in appropriate cases, be incorporated
in standard fashion into computer 10 as part of the
memory 16.

In addition, a display monitor 24 is illustrated which is
used to display the images being generated by the present
invention. Such a display monitor 24 may take the form of
any of several well-known varieties of cathode ray tube
displays and flat panel displays or some other type of
display.

Although the system shown in FIG. 2B is a preferred
computer system of the present invention, the displayed
computer architecture is by no means the only architecture
on which the present invention can be implemented. For
example, other types of interfaces and media could also be
used with the computer.

As noted above, the present invention allows multiple
internet sites to be implemented on a single physical
machine. The full potential of the invention is realized in
combination with a system that also includes implementing
single sites on many machines and distributing the traffic
among the machines. In such a system, the capacity of each
physical machine is used most efficiently since enough sites
can be implemented on each machine to use the capacity of
the machine, but overloading of the machine is avoided
since connections can alternatively be routed to other physical
machines based on demand.

FIG. 3 is a block diagram of a network segment which
includes many virtual machines corresponding to many
different IP addresses which are implemented on a group of
physical machines which can service the IP addresses. A
group of TCP based servers 312 is connected to the whole
of the Internet 302 through a router 304. Specifically, router
304 typically provides a connection to an Internet service
provider. A Local Director 200 is directly connected to
router 302 and serves as a front end to group of TCP based
servers 312. The group of TCP based servers 312 (including
server 312A, server 312B, and server 312C in the example
shown in FIG. 3) may include a large number of servers and
may generally provide any kind of TCP service.

For example, the group of TCP based servers 312 may be
World Wide Web servers, FTP servers, mail servers, news
servers, database servers, Telnet servers, etc., or the group of
TCP based servers may each perform a combination of those
tasks. Servers 312A, 312B, and 312C as well as other
servers and devices are connected to one another through a
network cable 314.

Requests to a virtual machine from external sites on
Internet 302 are routed through Local Director 200. Local
Director 200 determines which server of group of TCP based
servers 312 should receive the request. A group of virtual IP
addresses are defined for the internet sites which are implemented
on group of TCP based servers 312. Each virtual IP address is an
IP address which the outside world, including the rest of the
Internet 302, uses to access an internet site implemented on
either one or some combination of the physical machines which make
up group of TCP based servers 312. The individual identities and
IP addresses of the individual servers within the group of TCP
based servers 312 are not evident to the user. A plurality of
virtual machines are implemented on different port numbers on
certain of the real or physical machines. Other physical machines
may be configured to service only one specific site. Each virtual
machine may allocate connections to a plurality of physical
machines, or on a single physical machine if desired.

The Local Director 200 effectively simulates communication
inbound to virtual machines having virtual IP addresses using the
set of physical machines provided in the group of TCP based
servers 312 by intercepting inbound packets sent to a virtual
machine and replacing the virtual IP address and port number with
a physical machine IP address and port number. Similarly, the
Local Director 200 effectively simulates communication outbound
from one or more virtual machines by intercepting outbound packets
from the physical machines and replacing the physical machine IP
addresses with virtual machine IP addresses.

When router 304 receives a request to access an internet site
supported by Local Director 200 by a domain name (e.g.,
www.NameX.com), that domain name is mapped to the IP address of
the internet site. This is done by a DNS server. The DNS server
does not provide a real IP address of a real machine, but instead
provides a virtual IP address of a virtual machine which is
implemented on Local Director 200. Local Director 200 then
receives all packets sent to virtual IP addresses implemented on
the Local Director and translates the addresses and port numbers
to a selected IP address and port number for a selected individual
server among the group of TCP based servers 312. Local Director
200 accomplishes this by changing the destination IP address and
port number in each packet from the virtual IP address and port
number which corresponds to the virtual machine to a real IP
address and port number which corresponds to a single physical
machine, i.e. the IP address and port number of the individual
server which is selected or mapped to handle connections for that
virtual IP address and port number.

Local Director 200 thus operates to distribute packets among
group of TCP based servers 312 by intercepting each packet sent to
a virtual machine and changing the destination IP address and port
number in the packet from a virtual IP address and port number to
a real IP address and port number which corresponds to a physical
machine IP address and port number which has been made available
to implement the virtual machine.

In the example shown, a physical machine 312A is configured to
support three IP addresses. Ports 8001, 8002, and 8003 as shown
have daemons running on them which run processes corresponding to
port 80 for virtual IP addresses x.x.x.1, x.x.x.2, and x.x.x.3,
respectively. Physical machine 312A may also contain ports that
correspond to the other well known ports as well as other ports,
which are not shown. Physical machine 312B supports only a single
virtual IP address, x.x.x.1. Port 80 of the virtual machine is
therefore mapped directly to port 80 of physical machine 312B.
Physical machine 312C specializes in handling World Wide Web
traffic and so it contains only ports which are mapped to port 80
of various virtual machines. Local Director 200 translates packet
IP addresses and port numbers to distribute packets among all of
these machines.

It should be noted that packets addressed to x.x.x.1 and port 80
can be sent to any of the three physical machines. It should also
be noted that packets addressed to any of x.x.x.1/port 80,
x.x.x.2/port 80, and x.x.x.3/port 80 can be sent to either the
first or third machine. A session distribution scheme decides
which physical machine is to handle each new connection.

FIG. 4A illustrates a process which is implemented on Local
Director 200 for defining virtual machines and binding them to
physical machines and ports. The process starts at 400 and a
virtual machine IP address is defined in a step 402. Virtual
machine ports are defined in a step 404. Following steps 400 and
402, a virtual machine has been defined which has certain ports.
Next, in a step 406, a physical machine object is defined with an
IP address and port numbers. In a step 408, selected physical
machines are bound to a virtual machine. In one embodiment, this
may be accomplished one of three ways. First, an entire virtual
machine may be bound to an entire physical machine so that the
same port numbers bind to each other. Second, a virtual machine
may be bound to a single physical machine port. Third, each port
of the virtual machine may be bound individually to a physical
machine port. The process ends at 410.

Once the binding process of FIG. 4A is complete, a data structure
is created within Local Director 200 that stores the relevant
virtual machine and physical machine definitions and bindings.
FIG. 4B illustrates the data structure within Local Director 200
in one embodiment. A first virtual machine object 420 stores
information about a first virtual machine. Virtual machine object
420 points to a port object 421 that maps the virtual port of the
virtual machine onto a physical port. Virtual machine object 420
also points to a link object 422 which points to a physical
machine object 424, as well as another link object 426 that points
to a physical machine object 428. Together, the virtual machine
objects form a linked list that facilitates searching for the
virtual machine which corresponds to a new connection request.
Likewise, the link objects form a linked list that facilitates
searching for a physical machine to handle a new connection. Other
virtual objects such as virtual objects 430 and virtual object 440
are also defined for other virtual machines. A connection object
450 and a connection object 460 contain pointers to the virtual
machines and physical machines which correspond to the connections
which they represent.

FIG. 5 is a flow diagram which illustrates a process for finding
a virtual machine to handle a new connection, if one exists. The
SYN packet for the new connection contains a destination IP
address and port number. The process starts at 500. In a step 510,
the virtual machine objects are searched for a virtual machine
object which corresponds to the source IP address of the new
packet. If one is found, then a step 520 transfers control to a
step 530. The port objects on the linked list of port objects to
which the virtual machine points are checked in step 530 to
determine if the destination port of the SYN packet is implemented
on the virtual machine that was found. If not, then control is
transferred to a step 560 and an error message is sent, since the
client is attempting to access one of the virtual machines, but
has requested a port which is not supported. If the destination
port is found, then control is transferred to a step 540 and a
physical machine is selected to handle the connection and a
connection object is created. The selection of the best physical
machine to handle the connection using a session distribution
algorithm is further described in co-pending application Ser. No.
08/850,248 (Attorney Docket No. CISCP005) previously incorporated
by reference.

As described below, the data structures mentioned above
contain the information which is necessary to send packets
to the appropriate physical machine which implements a
virtual machine. For the purpose of clarity, some of the
information in the objects which relates to allocating new
connections to the best physical machine in some embodiments
is not shown. Other data which is found in the
objects in certain embodiments may be found in co-pending
applications Ser. Nos. 08/850,248 and 08/850,836
(Attorney Docket Nos. CISCP005 and CISCP008) previously
incorporated by reference.

FIG. 6A illustrates the data structure of a virtual machine
object 600. Virtual machine object 600 includes a pointer to
the next virtual machine object to facilitate searching
through the virtual machine objects. Virtual machine object
600 also includes a virtual machine IP address 604 which
stores the IP address of one of the virtual machines which is
being implemented by Local Director 200. A pointer 606 to
a port object accesses a linked list of port objects which list
the physical machine port mapping for each of the ports
supported by the virtual machine. A pointer 608 to a link
object facilitates searching for the physical machine object
which has the best predicted response according to the
chosen session distribution scheme. A state variable 610
stores the state of the virtual machine. A backup variable 612
stores a backup for the virtual machine. The purpose of state
variable 610 and backup variable 612 is to support virtual
machine backups as is further described in co-pending
application Ser. No. 08/850,836 (Attorney Docket No.
CISCP008) previously incorporated by reference.

FIG. 6B illustrates the data structure of a physical
machine object 620. Physical machine object 620 is used to
store information related to a particular physical machine
which is selected by Local Director 200 for the purpose of
serving connections to a virtual machine. Physical machine
object 620 contains a pointer 618 to the next physical
machine object which facilitates searching among the physical
machine objects. Physical machine object 620 also
contains the real IP address 621 of the physical machine
which it represents. A variable 622 stores the state of the
physical machine and a variable 624 stores the number of
ditched connections to the physical machine. A variable 626
stores the connection failure threshold and a pointer 628
points to a backup machine. The use of variable 622,
variable 624, variable 626, and pointer 628 to fail a physical
machine and transfer to a backup in certain embodiments is
further described in co-pending application
Ser. No. 08/850,836 (Attorney Docket No. CISCP008)
previously incorporated by reference. A port variable 630
stores a port number which indicates whether physical
machine object 620 corresponds to an individual port on a
machine. If port variable 630 is zero, then physical machine
object 620 corresponds to all ports of a physical machine.
Any other number is interpreted as a port number that the
physical machine represents.

FIG. 6C illustrates a connection object data structure 640.
Connection object 640 stores information related to individual
connections made from a client to one of the physical
machines. Connection object 640 includes a pointer 641 to
the next connection object on its linked list hash chain. This
pointer facilitates searching among the connection objects.
In a preferred embodiment, the individual connection
objects are stored in a hash chain to facilitate retrieval.
Connection object 640 also includes the foreign IP address
642 and foreign port number 644 of the client which is
making the connection, and the virtual machine address 646
and virtual machine port number 648 of the virtual machine
which is being implemented for the connection. Connection
object 640 also contains a physical machine pointer 650 to
the physical machine object which contains the information
about the physical machine to which the connection is made.
A variable 652 also stores the physical machine mapped port
number. A variable 653 stores the number of resends of a
SYN packet by the client attempting to establish a connection.

FIG. 6D illustrates a Port object data structure 660. Port 
object 660 is used to map the port requested by the client to 
be accessed on the virtual machine to the port on the selected 
physical machine to which the connection is actually made. 
Port object 660 includes a pointer 662 which points to the 
next port object in order to facilitate searching the port 
objects. A variable 664 stores the port number as viewed by 
the client. A variable 666 stores the port number as mapped 
to a physical machine port. 

Using the data structures shown in FIG. 4B, and FIGS. 6A 
through 6D, Local Director 200 is able to provide the 
necessary IP addresses, port numbers, and pointers to define 
a connection object. The connection object contains all the 
information necessary to change the destination IP address 
and port number of incoming packets to the IP address and 
port number of a physical machine that is implementing a 
virtual machine. Likewise, the connection object contains all 
the information necessary to change the source IP address 
and port number of outgoing packets to the IP address and 
port number of a physical machine that is implementing a 
virtual machine. 
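The FIG. 5 checks over the objects of FIGS. 6A through 6D can be sketched in C as follows; this is an added example, not code from the patent. It matches the SYN's destination address and port against the virtual machine and port objects (as the abstract and claims describe) and reuses an existing connection object when the SYN is a resend. Field names, the hash mixing function, taking the first bound physical machine, and the 192.0.2.x, 10.0.0.x and 198.51.100.x addresses are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Objects after FIGS. 6A-6D (reference numerals in comments); field names are this example's. */
typedef struct Port { struct Port *next; uint16_t vport, mapped; } Port;          /* 660 */
typedef struct Phys { struct Phys *next; uint32_t ip; uint16_t port; } Phys;      /* 620 */
typedef struct Link { struct Link *next; Phys *phys; } Link;                      /* 422, 426 */
typedef struct VM { struct VM *next; uint32_t ip; Port *ports; Link *links; } VM; /* 600 */
typedef struct Conn {                                                             /* 640 */
    struct Conn *next;                 /* next object on the same hash chain */
    uint32_t foreign_ip, vm_ip;
    uint16_t foreign_port, vm_port, mapped_port;
    Phys *phys;
    unsigned syn_resends;
} Conn;

enum { NBUCKETS = 64 };
typedef struct { VM *vms; Conn *chain[NBUCKETS]; } Director;
typedef enum { NEW_CONN, EXISTING_CONN, NOT_VIRTUAL, PORT_UNSUPPORTED,
               NO_SERVER, NO_MEMORY } Verdict;

/* Bucket from the foreign/virtual address pair; the mixing function is an assumption. */
static unsigned bucket(uint32_t foreign_ip, uint32_t vm_ip) {
    uint32_t h = foreign_ip ^ vm_ip;
    h ^= h >> 16;
    h ^= h >> 8;
    return h % NBUCKETS;
}

/* Walk one hash chain; ports are compared too so two clients behind one address differ. */
Conn *conn_find(Director *d, uint32_t fip, uint16_t fport, uint32_t vip, uint16_t vport) {
    for (Conn *c = d->chain[bucket(fip, vip)]; c; c = c->next)
        if (c->foreign_ip == fip && c->foreign_port == fport &&
            c->vm_ip == vip && c->vm_port == vport)
            return c;
    return NULL;
}

/* Handle one SYN: reuse the connection object if the SYN is a resend, otherwise
 * run the FIG. 5 checks and create one. *out is NULL on every rejection. */
Verdict admit_syn(Director *d, uint32_t fip, uint16_t fport,
                  uint32_t dip, uint16_t dport, Conn **out) {
    if ((*out = conn_find(d, fip, fport, dip, dport)) != NULL) {
        (*out)->syn_resends++;
        return EXISTING_CONN;
    }
    VM *vm = d->vms;
    while (vm && vm->ip != dip) vm = vm->next;         /* steps 510 and 520 */
    if (!vm) return NOT_VIRTUAL;
    Port *p = vm->ports;
    while (p && p->vport != dport) p = p->next;        /* step 530 */
    if (!p) return PORT_UNSUPPORTED;                   /* step 560 */
    if (!vm->links) return NO_SERVER;
    Phys *ph = vm->links->phys;   /* first bound machine; session distribution is out of scope */
    Conn *c = calloc(1, sizeof *c);                    /* step 540 */
    if (!c) return NO_MEMORY;
    c->foreign_ip = fip; c->foreign_port = fport;
    c->vm_ip = dip; c->vm_port = dport;
    c->phys = ph;
    c->mapped_port = ph->port ? ph->port : p->mapped;  /* port variable 630: 0 means all ports */
    unsigned b = bucket(fip, dip);
    c->next = d->chain[b];
    d->chain[b] = c;
    *out = c;
    return NEW_CONN;
}

/* Constructed sample configuration: virtual 192.0.2.1 port 80 bound to 10.0.0.1 port 8001. */
#define VIP1   0xC0000201u  /* 192.0.2.1    */
#define PHYS_A 0x0A000001u  /* 10.0.0.1     */
#define CLIENT 0xC6336407u  /* 198.51.100.7 */
Director *demo_director(void) {
    static Phys a = { NULL, PHYS_A, 0 };
    static Link la = { NULL, &a };
    static Port p80 = { NULL, 80, 8001 };
    static VM vm1 = { NULL, VIP1, &p80, &la };
    static Director d;
    d.vms = &vm1;
    return &d;
}

int main(void) {
    Director *d = demo_director();
    Conn *c = NULL;
    printf("SYN to port 80: verdict %d\n", admit_syn(d, CLIENT, 40000, VIP1, 80, &c));
    if (c) printf("mapped to physical port %u\n", (unsigned)c->mapped_port);
    printf("SYN to port 23: verdict %d\n", admit_syn(d, CLIENT, 40001, VIP1, 23, &c));
    return 0;
}
```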

FIG. 7 is a flow diagram which illustrates a preferred 
process for handling an incoming packet which is addressed 
to one of the virtual machines implemented on Local Direc- 
tor 200. The process starts at 700. In a step 702, the Local 
Director enters a state wherein it intercepts all packets which 
are routed through it. Whenever a packet is received, control 
is transferred to step 704 and the packet is analyzed. The 
source IP address of the packet and the destination IP 
address of the packet are determined, as well as the type of 
packet (e.g., TCP packets SYN, ACK, ACK SYN, data, etc.).

If the packet is a SYN packet, then control is transferred 
to a step 706. The Local Director determines if a connection 
object already exists for the SYN packet. This is accom- 
plished by searching the connection objects (e.g., connection 
objects 450 and 460 of FIG. 4B) for a connection which 
matches the foreign IP address and virtual machine IP 
address of the incoming SYN packet. In one embodiment, 
the connection objects are searched using a hash chain. A 
hashing function is used to hash virtual IP address and 
foreign IP address pairs to a given set of connections on a 
hash chain. Each connection object on an individual hash 
chain contains a pointer to the next connection object on that 
chain so that all of the connection objects on the chain can 
be quickly searched. Thus, the hashing function is used to 
quickly find a particular hash chain on which the connection 
object being searched for may be found. Each connection 
object on that hash chain contains a pointer to the next 
connection object so that if a connection object already 
exists for the connection which the client is attempting to make,
then it will be found in step 706. If no connection object is 
found, then a connection object is created in a step 710, if 
appropriate according. FIG. 5 details the process for ana- 
lyzing an incoming new connection request to determine if 
a new connection object should be created. Control is then 
transferred to a step 712. If a connection object is found in
step 706, then control is transferred directly to step 712 and the
packet destination IP address and port number are redefined using
the connection object. Thus, step 712 either sends the packet on
using a newly created connection object from step 710 or the
connection object which was found in step 706. Step 712 is
described in further detail in FIG. 8. Thus, for each SYN packet
received by the Local Director for a virtual machine which is
being implemented by the Local Director, a connection object is
either found or created for the connection which the SYN packet is
attempting to establish. An example of an instance where a
connection object would be found for a SYN packet is when a first
SYN packet is received by the Local Director and the ACK SYN
packet sent by the selected physical machine in response to that
SYN packet for some reason is not received by the client. In such
a case, the client would then resend a SYN packet. Upon
intercepting the resent SYN packet, the Local Director would then
find the connection object which was created for the first SYN
packet which was sent to a physical machine but was not
acknowledged. In general, the connection between the client and a
physical machine may be broken at any point, resulting in the need
for the client to resend a SYN packet to the server. In such a
case, the SYN packet sent from the client to the server would be
recognized as a SYN packet for a connection which already has a
connection object. Connection objects for which there has been no
recent activity may be periodically deleted or overwritten.

SYN packets are the only packets which are sent to a physical
machine IP address by Local Director 200 which do not necessarily
already match a connection object. If, in step 704, the Local
Director determines that the type of packet is any other packet
than a SYN packet, then control is transferred to a step 720 and
the Local Director searches for a connection object which matches
the source and destination IP addresses of the packet as well as
the source and destination ports. If no connection object is found
for the packet in step 720, then control is transferred to step
726 and the packet is rejected. Rejected packets may be dropped in
certain cases and may be bridged in others. In certain
embodiments, Local Director 200 handles rejected packets
differently according to the type of packet.

Whether the packet is routed using a new or found connection
object for a SYN packet, or the packet is routed using a
connection object which is found for a different type of packet or
the packet is rejected, control is transferred back to 702 and the
Local Director continues to intercept packets. Local Director 200
continues intercepting and processing packets until it fails or is
interrupted. FIG. 7 thus illustrates how Local Director constantly
intercepts packets, determines whether a connection object exists
for those packets, creates connection objects where appropriate,
and routes the packets to their proper destination.

FIG. 8 is flow diagram which illustrates the process implemented
by the Local Director to translate the destination IP address and
port number of an incoming data packet from a client and route
that data packet to the proper physical machine which is connected
to the Local Director (i.e., step 712 described from FIG. 7). The
process is based on the Local Director finding the connection
object which defines the proper destination IP address and port
number for the packet so that it is sent to the right port on the
right physical machine that is implementing the process
corresponding to the destination IP address and port number
specified by the client. If no connection object already exists,
the Local Director creates a connection object for the connection.
In certain embodiments, creating the connection object includes
determining the best physical machine from among a group of
available physical machines to handle the connection.

The process begins at 800. The Local Director has intercepted an
incoming data packet that has a destination IP address and port
number that corresponds to one of the virtual machines which is
being implemented by the Local Director. A connection object was
either found or created for the packet. In a step 810, the
connection object returns the IP address and the port number of
the physical machine which the connection object has specified for
the connection. The Local Director now has the information
necessary to change the destination IP address in the incoming
packet by replacing the virtual machine IP address with the
physical machine IP address to which the connection is to be
routed. In a step 820, the Local Director changes the destination
IP address of the incoming packet to match the IP address which it
obtained from the physical machine object pointed to by the
connection object. In a step 830, the destination port number of
the incoming packet is changed to the correct port number for that
physical machine. Since these changes to the packet header affect
the check sums which determine whether the packet has been
corrupted, a step 840 adjusts the check sums so that the changes
do not appear to have corrupted the data. Next, in step 850, the
packet is sent to the server side of the Local Director and the
process is completed at 860.

FIG. 9 is a flow diagram which describes the process implemented
on the Local Director for translating and routing data packets
outbound to clients. A packet sent from one of the physical
machines connected to the Local Director will have the proper
destination IP address to the intended outside client, but the
source IP address will be the source IP address of the physical
machine and not the IP address of the virtual machine which the
Local Director is simulating. It is therefore necessary to replace
the source IP address of the physical machine with the source IP
address of the virtual machine which is being simulated. This is
accomplished by finding the connection object for the data packet
and using the virtual machine IP address and port number found in
the connection object.

The process begins at 900. An outbound data packet is intercepted
at a step 906. The Local Director then finds the connection object
for that data packet in a step 910. Control is then transferred to
a step 950. In step 950, the connection object returns the virtual
machine IP address and the virtual machine port number
corresponding to the virtual machine from which the packet is to
be sent. Next, in a step 960, the source IP address of the packet
is replaced with the virtual machine IP address from the
connection object. In step 970, the source port number is replaced
with the virtual machine port number. The check sum of the packet
header is adjusted in step 980 and finally, the packet is sent to
the client side of the Local Director in a step 990. The process
ends at 995.

The Local Director thus functions to receive packets on its
client side intended for a virtual machine which the Local
Director is supporting and routes those packets to the physical
machine port which is running the process which is expected to be
run on the virtual machine port requested by the user. This is
accomplished by defining a connection object for each of the
connections requested by a client. The connection object keeps
track of the virtual machine IP address and port number to which
the client is attempting to connect as well as the physical
machine IP address and port number to which the Local Director has
assigned to that
connection. The source IP address and port number is
replaced in all outbound data packets from physical
machines so that it appears to the client that it is receiving
packets from the virtual machine port which it attempted to
access. Thus, the Local Director effectively simulates the
existence of one or more virtual machines to outside clients
that are implemented on one or more physical machines that
actually handle the clients.
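The header rewrite of FIGS. 8 and 9, including the check sum adjustment of steps 840 and 980, can be sketched in C as follows; this is an added example, not code from the patent. The patent does not say how the check sums are adjusted, so the incremental update of RFC 1624 is this example's choice, and the function names, the fragment check and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* One's-complement sum over n bytes, seeded with acc and folded to 16 bits. */
static uint16_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += rd16(p);
    if (n) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum of the TCP pseudo-header (both addresses, protocol 6, TCP length). */
static uint16_t pseudo(const uint8_t *pkt, size_t tcplen) {
    uint8_t ph[12];
    memcpy(ph, pkt + 12, 8);
    ph[8] = 0; ph[9] = 6; wr16(ph + 10, (uint16_t)tcplen);
    return sum16(ph, 12, 0);
}

/* Adjust one checksum for one changed 16-bit word, RFC 1624 eqn. 3:
 * HC' = ~(~HC + ~m + m'). */
static void fix16(uint8_t *csum, uint16_t old, uint16_t neu) {
    uint32_t acc = (uint16_t)~rd16(csum);
    acc += (uint16_t)~old;
    acc += neu;
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    wr16(csum, (uint16_t)~acc);
}

/* Overwrite a header word and patch every checksum that covers it. */
static void set16(uint8_t *field, uint16_t v, uint8_t *ipc, uint8_t *tcpc) {
    uint16_t old = rd16(field);
    wr16(field, v);
    if (ipc) fix16(ipc, old, v);
    fix16(tcpc, old, v);
}

/* dst != 0: inbound packet, rewrite destination (steps 820 to 840).
 * dst == 0: outbound packet, rewrite source (steps 960 to 980).
 * Returns 0 on success, -1 if the buffer is not one whole IPv4/TCP packet. */
int translate(uint8_t *pkt, size_t len, int dst, uint32_t ip, uint16_t port) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 20 || rd16(pkt + 2) != len) return -1;
    if (rd16(pkt + 6) & 0x3FFF) return -1;        /* fragment: TCP header may be absent */
    uint8_t *ipc = pkt + 10, *tcpc = pkt + ihl + 16;
    uint8_t *addr = pkt + (dst ? 16 : 12), *prt = pkt + ihl + (dst ? 2 : 0);
    set16(addr, (uint16_t)(ip >> 16), ipc, tcpc); /* address: IP header and pseudo-header */
    set16(addr + 2, (uint16_t)ip, ipc, tcpc);
    set16(prt, port, NULL, tcpc);                 /* port: TCP checksum only */
    return 0;
}

/* Full recomputation, used only to verify the incremental adjustment. */
int checksums_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    return sum16(pkt, ihl, 0) == 0xFFFF &&
           sum16(pkt + ihl, len - ihl, pseudo(pkt, len - ihl)) == 0xFFFF;
}

/* Constructed sample: a 40-byte IPv4/TCP SYN with correct checksums. */
size_t build_tcp(uint8_t pkt[40], uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport) {
    memset(pkt, 0, 40);
    pkt[0] = 0x45; wr16(pkt + 2, 40); pkt[8] = 64; pkt[9] = 6;
    wr16(pkt + 12, (uint16_t)(src >> 16)); wr16(pkt + 14, (uint16_t)src);
    wr16(pkt + 16, (uint16_t)(dst >> 16)); wr16(pkt + 18, (uint16_t)dst);
    wr16(pkt + 20, sport); wr16(pkt + 22, dport);
    wr16(pkt + 24, 0x1234); wr16(pkt + 26, 0x5678);        /* sequence number */
    pkt[32] = 0x50; pkt[33] = 0x02; wr16(pkt + 34, 8192);  /* offset 5, SYN, window */
    wr16(pkt + 10, (uint16_t)~sum16(pkt, 20, 0));
    wr16(pkt + 36, (uint16_t)~sum16(pkt + 20, 20, pseudo(pkt, 20)));
    return 40;
}

int main(void) {
    uint8_t pkt[40];
    /* 198.51.100.7:40000 -> virtual 192.0.2.1:80, rewritten to physical 10.0.0.1:8001 */
    size_t n = build_tcp(pkt, 0xC6336407u, 40000, 0xC0000201u, 80);
    translate(pkt, n, 1, 0x0A000001u, 8001);
    printf("inbound rewritten, checksums %s\n", checksums_ok(pkt, n) ? "valid" : "INVALID");
    return 0;
}
```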

Although the foregoing invention has been described in
some detail for purposes of clarity of understanding, it will
be apparent that certain changes and modifications may be
practiced within the scope of the appended claims. It should
be noted that there are many alternative ways of implementing
both the process and apparatus of the present invention.
It is therefore intended that the following appended claims
be interpreted as including all such alterations, permutations,
and equivalents as fall within the spirit and scope of the
present invention.

What is claimed is: 

1. A packet translation system for handling connections
from clients on an external network to a plurality of IP
addresses with a server having a server IP address and a
server port number comprising:

a client interface to the external network, the client
interface being operative to receive and send packets to
and from a remote client;

a server interface to an internal network, the server
interface being operative to receive and send packets to
and from the server, the server being operative to
establish a connection with the remote client;

a packet interceptor which is operative to intercept incoming
packets received at the client interface which have
a packet destination IP address and a packet destination
port number corresponding to a virtual machine IP
address and a virtual machine port number which is
supported by the packet translation system;

a packet header translator which is operative to translate
the packet destination IP address and the packet destination
port number of packets forwarded by the packet
interceptor to a physical machine IP address and a
physical machine port number that corresponds to the
server IP address and the server port number of the
server, the server port running a real process corresponding
to a virtual process simulated on the virtual
port number;

whereby the packet translation system receives packets at
the client interface and the packet destination IP
address and the packet destination port number corresponding
to the virtual machine IP address and the
virtual machine port number are translated to the server
IP address and the server port number and the packets
are forwarded to the server via the server interface.

2. A system as recited in claim 1, further including a
connection database which includes for each connection
handled by the packet translation system, a connection
object that stores a connection source IP address and a
connection source port number, a connection virtual
machine IP address and a connection virtual machine port
number, and a connection physical machine IP address and
a connection physical machine port number, whereby the
connection database provides all of the information required
to translate the packet headers.

3. A system as recited in claim 2, wherein the connection
objects are stored in a linked list.

4. A system as recited in claim 3 wherein the connection
objects are searched upon the receipt of an incoming packet
using a hash of the connection source IP address and the
connection virtual machine IP address.

5. A system as recited in claim 1, further including a 
virtual machine database including a plurality of virtual 
machine objects, each virtual machine object including a 
virtual machine object IP address and a virtual machine 
object port number for a virtual machine supported by the 
packet translation system. 

6. A system as recited in claim 5 wherein the plurality of 
virtual machine objects are stored in a linked list. 

7. A system as recited in claim 1, further including a 
physical machine database including a plurality of physical 
machine objects including a physical machine object IP 
address for each physical machine available to the packet 
translation system. 

8. A system as recited in claim 7 wherein the plurality of 
physical machine objects are stored in a linked list. 

9. A system as recited in claim 1 wherein the packet
interceptor rejects packets having a packet destination IP
address which corresponds to a virtual machine IP address
of one of the virtual machines supported by the packet
translation system and having a packet destination port
which does not correspond to a virtual machine port of one
of the virtual machines supported by the packet translation
system.

10. A system as recited in claim 1, wherein the packet 
interceptor is further operative to intercept outgoing packets 
received at the server interface, the outgoing packets having 
a packet source IP address and a packet source port number 
and wherein the packet header translator is further operative 
to translate the packet source IP address and the packet 
source port number of outgoing packets to a physical 
machine IP address and a physical machine port number that 
corresponds to the server IP address and the server port 
number of the server which runs a real process correspond- 
ing to a virtual process simulated on the virtual port number. 

11. A packet translation system for handling connections 
from clients on an external network to a plurality of IP 
addresses with a plurality of servers on an internal network, 
the plurality of servers having a plurality of server IP 
addresses and a plurality of server port numbers comprising: 

a client interface to the external network, the client 
interface being operative to receive and send packets to 
and from a remote client; 
a server interface to the internal network, the server 
interface being operative to receive and send packets to 
and from a server, the server being operative to estab- 
lish a connection with the remote client; 
a connection distributor which is operative to distribute 
connections to a selected server having a selected 
server IP address and a selected server port number 
from the plurality of servers; 
a packet interceptor which is operative to intercept incom- 
ing packets received at the client interface which have 
a packet destination IP address and a packet destination 
port number corresponding to a virtual machine IP 
address and a virtual machine port number which is 
supported by the packet translation system; 
a packet header translator which is operative to translate 
the packet destination IP address and the packet desti- 
nation port number of incoming packets to a physical 
machine IP address and a physical machine port num- 
ber that corresponds to the selected server IP address 
and the selected server port number which runs a real 
process corresponding to a virtual process simulated on 
the virtual port number; 
whereby the packet translation system receives packets at
the client interface and the packet destination IP
address and the packet destination port number corresponding
to the virtual machine IP address and the
virtual machine port number are translated to the server
IP address and the server port number and the packets
are forwarded to the server via the server interface.

12. A system as recited in claim 11, wherein the connection
distributor distributes connections to a selected server
from the plurality of servers which is predicted to be the
fastest server for handling the connection.

13. A method for handling connections from clients on an 
external network to a plurality of IP addresses with a server 
having a server IP address and a plurality of server port 
numbers, each port number corresponding to a distinct one 15 
of the plurality of IP addresses comprising: 

receiving an incoming packet from a remote client, the 
incoming packet having a packet destination IP address 
and a packet destination port number corresponding to 
a virtual machine IP address and a virtual machine port 20 
number which is supported by the server; 

translating the packet destination IP address and the 
packet destination port number of incoming packets to 
a physical machine IP address and a physical machine 
port number that corresponds to the server IP address 
and the server port number of the server, the server 
running a real process corresponding to a virtual 
process simulated on the virtual port number; 

forwarding the packet to the server, the server being 
operative to establish a connection with the remote 
client; 

whereby packets are received and the packet destination 
IP address and the packet destination port number 
corresponding to the virtual machine IP address and the 
virtual machine port number are translated to the server 
IP address and the server port number and the packets 
are forwarded to the server. 

14. A method as recited in claim 13, further including: 
creating a connection database which includes for each 
connection, a connection object that stores a connection 
source IP address and a connection source port number, 
a connection virtual machine IP address and a connection 
virtual machine port number, and a connection 
physical machine IP address and a connection physical 
machine port number, whereby the connection database 
provides all of the information required to translate the 
packet headers. 

15. A method as recited in claim 14, wherein the connection 
objects are stored in a linked list. 

16. A method as recited in claim 14 further including 
searching the connection objects upon the receipt of an 
incoming packet using a hash of the connection source IP 
address and the connection virtual machine IP address. 

17. A method as recited in claim 13, further including 
creating a virtual machine database including a plurality of 
virtual machine objects, each virtual machine object including 
a virtual machine object IP address and a virtual machine 
object port number for a virtual machine supported by the 
server. 

18. A method as recited in claim 17 wherein the plurality 
of virtual machine objects are stored in a linked list. 

19. A method as recited in claim 13, further including 
creating a physical machine database including a plurality of 
physical machine objects including a physical machine 
object IP address for plurality of physical machines. 

20. A method as recited in claim 19 wherein the plurality 
of physical machine objects are stored in a linked list. 

21. A method as recited in claim 13 further including 
rejecting packets having a packet destination IP address 
which corresponds to a virtual machine IP address of one of 
the virtual machines supported by the server and having a 
packet destination port which does not correspond to a 
virtual machine port of one of the virtual machines 
supported by the server. 
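
The lookup and rejection steps of claims 14 to 16 and 21 can be sketched in C as follows. This is an added example, not code from the patent; the struct layouts, function names, hash function, bucket count and the three-way verdict are assumptions, and the addresses in `main` are constructed from documentation ranges.

```c
#include <stdint.h>
#include <stdlib.h>
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))
enum verdict { XLATE_OK, XLATE_REJECT, XLATE_PASS };
/* Virtual machine object: supported virtual IP:port -> physical IP:port (assumed layout). */
struct vm { uint32_t vip, pip; uint16_t vport, pport; struct vm *next; };
/* Connection object holding the three address pairs of claim 14. */
struct conn { uint32_t src_ip, vip, pip; uint16_t src_port, vport, pport; struct conn *next; };
static struct vm *vms;            /* linked list, as in claim 18 */
static struct conn *buckets[64];  /* each bucket is a linked list, as in claim 15 */
/* Claim 16: hash of connection source IP and virtual machine IP (top 6 bits). */
static unsigned bucket_of(uint32_t src_ip, uint32_t vip) {
    return (uint32_t)((src_ip ^ vip) * 2654435761u) >> 26;
}
int vm_add(uint32_t vip, uint16_t vport, uint32_t pip, uint16_t pport) {
    struct vm *v = malloc(sizeof *v);
    if (!v) return -1;
    *v = (struct vm){ vip, pip, vport, pport, vms };
    vms = v;
    return 0;
}
/* Rewrites *dip / *dport in place only when the verdict is XLATE_OK. */
enum verdict translate_in(uint32_t sip, uint16_t sport, uint32_t *dip, uint16_t *dport) {
    unsigned h = bucket_of(sip, *dip);
    struct conn *c = buckets[h];
    while (c && !(c->src_ip == sip && c->src_port == sport && c->vip == *dip && c->vport == *dport))
        c = c->next;
    if (!c) {                                   /* first packet of a connection */
        struct vm *match = NULL;
        int ip_is_virtual = 0;
        for (struct vm *v = vms; v && !match; v = v->next) {
            if (v->vip != *dip) continue;
            ip_is_virtual = 1;
            if (v->vport == *dport) match = v;
        }
        if (!ip_is_virtual) return XLATE_PASS;  /* not addressed to a virtual machine */
        if (!match) return XLATE_REJECT;        /* claim 21: virtual IP, unsupported port */
        if (!(c = malloc(sizeof *c))) return XLATE_REJECT;
        *c = (struct conn){ sip, match->vip, match->pip, sport, match->vport, match->pport, buckets[h] };
        buckets[h] = c;
    }
    *dip = c->pip; *dport = c->pport;
    return XLATE_OK;
}
int main(void) {  /* constructed addresses from the documentation ranges */
    uint32_t d = IP(192,0,2,10); uint16_t p = 80;
    vm_add(d, 80, IP(10,0,0,5), 8001);
    return translate_in(IP(203,0,113,7), 40000, &d, &p) == XLATE_OK && p == 8001 ? 0 : 1;
}
```

A rejected or passed-through packet leaves the destination fields untouched, so only packets for a listed virtual IP and port pair ever reach a physical server port.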

22. A method as recited in claim 13, further including 
intercepting outgoing packets received at a server interface, 
the outgoing packets having a packet source IP address and 
a packet source port number; and translating the packet 
source IP address and the packet source port number of 
outgoing packets to a physical machine IP address and a 
physical machine port number that corresponds to the server 
IP address and the server port number of the server running 
a real process corresponding to a virtual process simulated 
on the virtual port number. 

23. A packet translation system for forwarding a packet to 
a server having a server IP address and two or more server 
ports, each corresponding to a distinct one of two or more 
defined virtual IP addresses, the packet having a packet 
destination IP address matching one of the two or more 
defined virtual IP addresses, the packet translation system 
comprising: 

a client interface to an external network, the client 
interface being operative to receive packets from a remote 
client; 

a server interface to the server, the server interface being 
operative to send packets to the server, the server being 
operative to handle packets sent from the remote client; 
and 

a packet translator which is operative to translate the 
packet destination IP address to the server IP address 
and to provide a destination port address to the packet, 
which destination port address is selected from the two 
or more ports and corresponds to the packet destination 
IP address. 

***** 